What is this?

nss_vserver is an NSS authentication module for Linux-VServer systems that allows processes running on the host (sshd, getty) to authenticate users that exist on guests.

The module should drop in almost transparently on a modern Linux system: PAM calls its pam_unix module, which in turn looks through the NSS modules to complete the process.

If you want to complete the guest login process, you should also get the modified version of vslogin linked to below. vslogin picks up after authentication and delivers the user to a shell on their guest.

Note that with nss_vserver you don't need the syncshadows included in the vserverauth tarball.

Why would I use it?

Using nss_vserver and vslogin you can run a single instance of sshd on the host. This host-based server verifies the credentials of a user on a guest, and vslogin then takes care of presenting the user with a guest-based shell.

Installation Instructions

1. Get the appropriate version. On x86 you need to use the pthread version; on amd64 (and possibly x86_64) you need the cthreads version (listed as nss_vserver_64). Also, on amd64 it's in /lib/, not in /lib/tls/.

2. On Linux, just run

make install

* Note: on recent kernels the test passes, but you are unable to log in via ssh. To fix that problem:

How to remove it from the system?

Just run

make uninstall

Use with vslogin

After you have installed the module (and have vslogin copied to /sbin/ and made suid-root), you are ready: try to log in to a guest, say one named "test" with user "user", by logging in to the host with username "test-user" or "user@test". You should find yourself logged in to the guest.

Note: vslogin requires the vservers root to be at /vservers, so make it a symlink to your location. For example, on Debian systems you need to run

ln -s /var/lib/vservers /vservers

Caveats

Security

WARNING! If you have installed vslogin, NEVER give users shell access to your host -- any user on the host who is able to execute programs and modify the environment will be able to log into guests as anybody they want!

Usernames and guest names with dashes

Avoid using usernames or guest names with dashes.

The current version only tries one configuration while searching for the user in guest databases, which can cause problems:

User "user" on guest "ser-ver" when written as "user@ser-ver" will work fine, while "ser-ver-user" will be treated as user "ver-user" on vserver "ser".

User "us-er" on guest "server" when written as "guest-us-er" will work fine, while "us-er@guest" will be treated as user "er@guest" on vserver "us".
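
To audit existing accounts for this caveat, the following added example (not nss_vserver's own code) checks which of the two login notations resolves to the intended user and guest. It assumes the login is split once at the first '-' or '@', a rule inferred from the four cases above; the function names and sample pairs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* ASSUMPTION (inferred from the examples above, not taken from the module):
 * the login is split once, at the first '-' or '@'.
 * '-' means guest-user, '@' means user@guest. Returns 0 on success. */
static int split_login(const char *login, char *user, char *guest, size_t n)
{
    size_t i = strcspn(login, "-@");
    const char *rest = login + i + 1;

    if (i == 0 || login[i] == '\0' || *rest == '\0')
        return -1;                      /* no separator or an empty part */
    if (i >= n || strlen(rest) >= n)
        return -1;                      /* would not fit the buffers */
    char *head = (login[i] == '-') ? guest : user;
    char *tail = (login[i] == '-') ? user : guest;
    memcpy(head, login, i);
    head[i] = '\0';
    strcpy(tail, rest);
    return 0;
}

/* 1 if the login string resolves to exactly the intended user and guest. */
static int resolves(const char *login, const char *user, const char *guest)
{
    char u[128], g[128];
    return split_login(login, u, g, sizeof u) == 0
        && strcmp(u, user) == 0 && strcmp(g, guest) == 0;
}

/* Bit 0: "guest-user" resolves correctly; bit 1: "user@guest" does. */
static int safe_notations(const char *user, const char *guest)
{
    char dash[256], at[256];
    snprintf(dash, sizeof dash, "%s-%s", guest, user);
    snprintf(at, sizeof at, "%s@%s", user, guest);
    return resolves(dash, user, guest) | (resolves(at, user, guest) << 1);
}

int main(void)
{
    /* Constructed sample (user, guest) pairs to audit. */
    const char *pairs[][2] = { {"user", "test"}, {"user", "ser-ver"}, {"us-er", "server"} };
    for (size_t k = 0; k < sizeof pairs / sizeof pairs[0]; k++) {
        int ok = safe_notations(pairs[k][0], pairs[k][1]);
        printf("user=%s guest=%s  guest-user:%s  user@guest:%s\n", pairs[k][0],
               pairs[k][1], (ok & 1) ? "ok" : "MISRESOLVED", (ok & 2) ? "ok" : "MISRESOLVED");
    }
    return 0;
}
```

A pair reported as MISRESOLVED for a notation would be looked up as a different user on a different guest when that notation is used.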